Independent Evaluation of the FDIC's Information Security Program—2003

(Audit Report No. 03-040, September 17, 2003)

Summary

As required by the Federal Information Security Management Act of 2002 (FISMA), we completed an independent evaluation of the Federal Deposit Insurance Corporation’s (FDIC) information security program and practices. The FISMA directs federal agencies to report annually to the Office of Management and Budget (OMB), the Comptroller General, and the Congress on the adequacy and effectiveness of their information security policies, procedures, and practices, including compliance with the FISMA. The FISMA also requires agencies to have an annual independent evaluation performed of their information security program and practices and for agencies to report the results of the evaluation to the OMB. The independent evaluation must be performed by the agency Inspector General (IG) or an independent external auditor as determined by the IG. The FISMA permanently re-authorized and strengthened the information security program, evaluation, and reporting requirements established by the former Government Information Security Reform Act (GISRA), which expired in November 2002. Prior to the enactment of the FISMA, our office completed two evaluations of the FDIC's information security program and practices as required by the GISRA.*

The objective of our review was to evaluate the effectiveness of the FDIC's information security program and practices, including the FDIC’s compliance with the requirements of the FISMA and related information security policies, procedures, standards, and guidelines. The evaluation focused on the FDIC’s efforts to improve its information security program relative to the baseline established in our 2002 security evaluation report. As part of our evaluation, we relied on information security-related audit, review, and evaluation reports issued by our office, the U.S. General Accounting Office, the FDIC, and others.

We concluded that although the Corporation made significant progress in improving its information security operations in recent years, additional actions were needed to ensure that corporate information resources were adequately protected. Our evaluation report contains specific steps intended to further the Corporation’s efforts to develop and implement information security controls that provide assurance of adequate security for its information resources.

Management Comments

We provided FDIC management with a draft report summarizing our FISMA evaluation results on August 25, 2003. We subsequently discussed the report with management officials and made a number of changes to address their concerns and comments. Because the draft report did not contain formal recommendations, no written response was required from the Corporation.

This report addresses issues associated with information security. Accordingly, we have not made, nor do we intend to make, public release of the specific contents of the report.

* We issued reports entitled Independent Evaluation of the FDIC's Information Security Program Required by the Government Information Security Reform Act, dated September 20, 2001, and Independent Evaluation of the FDIC's Information Security Program—2002, dated September 11, 2002.